Posted March 21st, 2007 by rybolov
Me: So why is it that every single security problem I’ve had in the past 6 months has come down to personnel management? Either they’re not trained well enough or we don’t have enough or they’re staffed in the wrong job.
Steve: I think it’s because security is more about the people than it is the technology.
That Steve, he’s pretty smart sometimes….
Posted in Odds-n-Sods | No Comments »
Posted March 21st, 2007 by rybolov
JD Meier wrote today about not saving the worst parts until last, and it reminded me of Meals Ready to Eat (MREs). I should probably lay claim to being the Northern Virginia Master of Obscurisms right now while I have your attention, but let me elaborate for a minute.
A case of MREs is 12 individual meals. That means that one person can, by the book, live off one case of MREs for 4 days assuming that they eat 3 times/day. That’s a little excessive, since most people can only eat 2/day because of time constraints.
Inside a case of MREs, there are 12 individual meals. Some are decent, like spaghetti or tuna with noodles. Some are not, like omelette with ham or corned beef hash. Keep this in mind; we’ll be using this little kernel of knowledge later.
So imagine this: You’re out in the woods for 2 weeks with just your 5-member team and your MREs. Let’s do the math on what you’re eating:
5 people x 14 days x 2 meals per day = 140 individual MREs or roughly 12 cases.
Now inside each case of MREs there are 2 foul-tasting MREs (omelette and CBH), which means 24 of them total. If the muldoons eat their favorite MREs first and work down the cases in order of most favorite to least favorite, then the last 3 days we are eating nothing but omelette and corned beef hash, and after being in the woods for 2 weeks, I just can’t bear it anymore.
Bad news does not get better with age. Neither does the MRE selection!
Moral of this story: Take the MRE that I throw at you and don’t read what the label says, it’s the luck of the draw.
Secondary moral of this story: You can’t store up badness and expect to tackle it later. You have to take it as it comes.
Tertiary moral of this story: Don’t join the army or work in IT. =)
Posted in Army, Odds-n-Sods, Rants, What Doesn't Work | 1 Comment »
Posted March 20th, 2007 by rybolov
Our government hasn’t had a ton of time to get their act together. It’s only been 225 years, give or take, and in that time, we might have learned a thing or two.
So why is it that it took us this long before we could get one agency to recognize the clearances from another agency? Even though OMB keeps trying to unify the clearance management systems, as a managed service provider I still have to convince every new client that I’m trustworthy because I have a DoD Top Secret.
So what’s the benefit? Well, from my angle, one unified clearance system means economy of scale simply by avoiding a “Not Invented Here” attitude. If I have 5 clients, 100 employees, and $5000 per person for a clearance, the savings add up really quickly if I just have to clear people once.
Now the strange thing is that because agencies each have their own individual clearance system, we are creating an artificial scarcity of cleared people. For somebody with a TS/SCI, starting salary in the DC area is around $80K/year, simply because of lack of supply. That’s an indirect cost that we could avoid.
Posted in Odds-n-Sods, Outsourcing, What Doesn't Work, What Works | No Comments »
Posted March 20th, 2007 by rybolov
This is an exceptionally well-written piece at CSOOnline. I still reread it from time to time.
For the record, I’m a geek at heart but a soldier and cop functionally and a mandarin and banker only when I’m forced to. =)
Posted in Odds-n-Sods, Risk Management | No Comments »
Posted March 15th, 2007 by rybolov
Want me to take a stab at what the information security management world will look like in 5 years? I think I’m starting to see the start of it, and I’ll tell you about it if you sit for a while and listen.
The US government does some things right. Yes, you heard me correctly.
You probably think by now that all I do is whine about the huge levels of gross incompetence I see on a daily basis and how I could singlehandedly run the government all while sitting at home, sipping on a coke, and crunching data on my own personal cluster of beowulf clusters.
But really, the government does some things right. The folks at the NIST FISMA project do some very amazing things, and I’m not just saying that to suck up to Ron and Marianne.
One thing that the government does right is to make their guidelines available for free to anyone over the internet. And some of them beat the pants off what you would find in the commercial world. Inside ISM-Community, when we started the Risk Assessment Methodology Project, I personally found it hard to ignore the fact that Special Publication 800-30 was staring me in the face. How do you really improve on it? Well, for starters you take 800-30 as a base process and then add more specific guidelines, examples, and templates, which is pretty much what our methodology started out as.
One of the things that NIST does really well is to provide you with a framework. It’s extensible to include various standards (PCI, 7799, and the government’s home-grown 800-53), tailorable, and is designed to hook security into the system development life cycle (SDLC). It’s entirely free as in beer and free as in you have the ability to import into your own processes.
Would you be surprised if I told you the framework was certification and accreditation?
Yes, I’ve criticized certification and accreditation a bazillion times. Well, I haven’t really criticized the process; personally I think it’s really strong. Instead, I criticize the implementation of the process and how the people who are tasked with C&A usually do not have the technical skills to accomplish what they are trying to do.
I’ve seen 2 RFPs out on the street in the past couple of months for C&A services for local governments.
This is driven by auditors and practitioners coming from the federal government who are making recommendations on joint systems, like RealID will end up being if the states don’t rebel, as it seems they are starting to do.
The future will bring along C&A, and it might even turn out to be the vehicle for needs determination and risk assessment, but C&A has to adapt and lose some of its heavy baggage along the way.
Posted in FISMA, NIST, Risk Management, What Works | No Comments »
Posted March 15th, 2007 by rybolov
So I had a conversation today that went something like this:
Them: “You have gaps in your resume, the bill rate people won’t like it”
Me: “Well, I screwed electronic components together during this first gap because I just got out of the army and was adjusting to the civilian world after 8 years of wearing a tree suit, then I worked at a chemical plant during this time because it was the dying end of the dotcom era and I needed to eat, and then this last gap I was activated and sent to Afghanistan.”
So while I’m not exactly ashamed of the time I spent pumping chlorine into a large smelter to make other chemicals, I’ve never thought much about how that fits into what I do now, so I left it off. I have enough achievements that do count that I feel comfortable skipping some of the also-ran jobs I’ve had.
But then again, it’s not that bad to include them. My life in the army doesn’t directly relate to my job, except when we need a temporary project manager to fix something that has gone greatly awry. That’s when the more direct leadership skills come into play.
Posted in Odds-n-Sods | No Comments »